
The Elusive NTCollector.exe

I experienced one of those rare occasions where Google drew a complete blank. I was looking for ntcollector.exe and found only 4 direct hits, none of which were relevant.

The reason I was looking for it: a process by that name was eating up 99% of my CPU cycles on my media center while using less than 1 MB of RAM. It popped up from nowhere after a random period of time, chewed the CPU until I noticed and killed the process, and then sprang up again some time later.

Eventually I tracked it down with the help of Process Explorer – an amazingly useful Microsoft tool you should always use instead of the XP Task Manager! It showed that NTCollector was actually a child of a Java process, which in turn was running as part of a system monitoring package I was using: NT Collector takes events from the Windows event log and passes them to the monitor. One instance normally ran well-behaved, but after a while it seemed to break loose from the Java app and run wild. The Java app sensed the loss of the process and created a new one – which would also break loose after a while.

Anyway – I’ll probably uninstall the app at some point, but until then, I can de-prioritise and suspend the process easily enough.
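The same parent-chain check that Process Explorer gave above can be scripted, which is handy when the runaway child keeps being respawned and you want to catch every instance and its CPU time in one go. The script below is an added example and is not code from the original post or from any monitoring vendor; it assumes a Windows host with CIM/WMI available, and the process name (`ntcollector`, no extension) and the optional priority change are parameters you can adjust.

```powershell
# Added example (not from the original post): find every process whose image
# name matches a pattern, walk its parent chain through Win32_Process, and
# report CPU time so runaway children of a service (like the respawning
# NTCollector instances described above) can be identified and, if asked,
# dropped to BelowNormal priority instead of being killed.
# Assumptions: Windows, Get-CimInstance available, run with enough rights
# to read process information for the target.

param(
    [string]$ProcessName = 'ntcollector',   # name to look for (no .exe)
    [switch]$LowerPriority                  # set BelowNormal when given
)

# Take one snapshot of all processes so parent lookups are consistent.
$all   = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

function Get-ParentChain {
    # Returns "child (PID) <- parent (PID) <- ..." up to the root it can see.
    # The $seen table guards against loops caused by reused parent PIDs.
    param([int]$ProcessId)
    $chain   = @()
    $seen    = @{}
    $current = $byPid[$ProcessId]
    while ($current -and -not $seen.ContainsKey([int]$current.ProcessId)) {
        $seen[[int]$current.ProcessId] = $true
        $chain += ('{0} (PID {1})' -f $current.Name, $current.ProcessId)
        $current = $byPid[[int]$current.ParentProcessId]
    }
    return ($chain -join ' <- ')
}

$found = $all | Where-Object { $_.Name -like "$ProcessName*" }
if (-not $found) {
    Write-Output "No process matching '$ProcessName' found."
    return
}

foreach ($m in $found) {
    # Get-Process gives accumulated CPU seconds and lets us adjust priority.
    $proc = Get-Process -Id $m.ProcessId -ErrorAction SilentlyContinue
    $cpuSeconds = if ($proc) { [math]::Round($proc.CPU, 1) } else { 'n/a' }

    [pscustomobject]@{
        Name       = $m.Name
        PID        = $m.ProcessId
        CPUSeconds = $cpuSeconds
        Path       = $m.ExecutablePath
        Chain      = Get-ParentChain -ProcessId $m.ProcessId
    }

    if ($LowerPriority -and $proc) {
        $proc.PriorityClass = [System.Diagnostics.ProcessPriorityClass]::BelowNormal
        Write-Output "  -> PID $($m.ProcessId) priority set to BelowNormal"
    }
}
```

Run it as `.\Find-RunawayChild.ps1 -ProcessName ntcollector` to see each instance with its parent chain (the Java host and whatever service started it should appear), and add `-LowerPriority` to apply the de-prioritisation the post mentions. The parent PID from Win32_Process is only as reliable as the snapshot: if the parent has already exited and its PID was reused, the chain will show the wrong ancestor, which is why the loop guard is there.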

Categories: Computing
  1. Andrew
    January 8, 2008 at 2:42 am

    What package/system management tool uses this utility?

  2. Spekx
    January 8, 2008 at 9:41 am

    In this case, it was a proprietary agent which used NTCollector to read the Windows Event Log and send the events back to a central log archive; similar to SNARE.

  3. William
    March 8, 2008 at 7:09 am

    I have found that NTcollector.exe appears to be a part of the Arcsight log collection agent aka: Arcsight Connector.

    I have this installed on a number of servers and have recently experienced the high CPU utilization mentioned in the original post, with multiple instances running and consuming between 60 and 99% CPU utilization for long periods of time.

    I have suggested to our security group that these data should be removed/un-installed from these servers until an explanation for this can be provided by Arcsight.

    A simple transfer of event log data should not have these severe consequences.

    Any other information would be helpful.


  4. Spekx
    March 9, 2008 at 8:41 pm

    For high event rates, it seems the Connector can be resource-intensive. Increasing RAM utilisation sometimes helps.

    In any case, I understand ArcSight recommend installing the Connectors on a dedicated server away from the server being monitored, and then collect the events via WMI, to avoid any additional CPU/RAM utilisation on the monitored device.

